Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    A C Series Controller as a RADIUS Client and TACACS+ Client

    On a C Series Controller, you can use more than one authentication method. You can configure the C Series Controller to be a RADIUS and TACACS+ client by:

    • Configuring RADIUS and TACACS+ authentication.

    • Configuring the authentication order to prioritize the order in which the C Series Controller uses configured authentication methods.

    For each login attempt, the SRC software tries the authentication methods in the order configured, until the password matches. The SRC software fails to authenticate a user either because the authentication server (RADIUS or TACACS+ server) is unavailable or because the user entered wrong credentials (username or password). If one of the authentication methods in the authentication order fails to authenticate a user, then the SRC software tries to authenticate the user through other available authentication methods in the configured order. For example, if the SRC software tries to authenticate users through TACACS+ server, and if the TACACS+ authentication fails, the SRC software tries to authenticate users through RADIUS server; and then, if the RADIUS authentication fails, the SRC software uses local password authentication. When all the three authentication methods fail, the user is denied access to the C Series Controller.

    If one of the RADIUS or TACACS+ servers among multiple configured servers is unavailable or the server fails to authenticate the user because of the invalid credentials, the SRC software tries to authenticate the user by sending requests to each of the RADIUS or TACACS+ servers in the configured order.

    If local password authentication does not appear in the prioritized list of authentication methods, the SRC software uses local password authentication last. The SRC software always uses password configured locally, whether or not it appears in the list of authentication methods to be used. As a result, users can log in to the C Series Controller through local password authentication if RADIUS and TACACS+ authentication fails.

    Figure 1 shows three authentication scenarios. In the first two, a user is authenticated while authentication servers are unavailable. In the third scenario, a user is not authenticated by any of the three authentication methods.

    Figure 1: Authentication Order: RADIUS, TACACS+, Local Password

    Authentication Order: RADIUS, TACACS+,
Local Password

    Modified: 2018-09-20